[Snort-sigs] SID 510

Warchild warchild at ...288...
Fri Feb 15 18:10:23 EST 2002


Hrm, I smell duplicate rules....


Rule:
--
alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"INFO HP
JetDirect LCD modification attempt"; flags:A+; content:"@PJL RDYMSG
DISPLAY ="; classtype:misc-activity; reference:bugtraq,2245;
reference:arachnids,302; sid:510; rev:3;) 

Sid:
--
510

Summary:
--
An attempt to change the message on the LCD display on a
JetDirect-enabled HP printer was detected.

--
Impact:
User confusion and comedy, mostly.

--
Detailed Information:
The HP JetDirect printers allow remote machines to change the message
that is displayed on the LCD panel. 

--
Attack Scenarios:
As part of an attempt to confuse and annoy users, an attacker may
attempt to change the previously mentioned message.  
__
Ease of Attack:
Relatively simple.  All that is required is a way to connect to the
JetDirect port of the victim printer and a minimal knowledge of how
JedDirect works.  A telnet/nc client would suit the job well, but
there are also many featureful programs that'll allow you to
accomplish the same ends.

--
False Positives:
This rule will get triggered everytime a legitimate print job is
executed and the display is updated.

--
False Negatives:
None.

--
Corrective Action:
Update to the latest JetDirect, and investigate the possibility of
restricting access to a central print-server using the "allow: <ip>
<netmask>" directive in a printer config file. 

--
Contributors:
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>

-- 
Additional References:






More information about the Snort-sigs mailing list